Virtually every conversation I have today with customers and prospects inevitably gets around to the subject of security. Ask five developers what security means to them, and you will get five different answers. One thing everyone seems to agree on is that we can’t accept the status quo. For many of us who have worked in the embedded software industry over the past decade and a half, security has historically been a back-burner issue. “…it’s somebody else’s problem…” was a frequent quote heard in product development team meetings. Not any more.
The proliferation of connected devices across many industries has morphed into the explosive growth of IoT and IIoT. By some estimates, the number of Internet-connected devices will reach into the many billions in the near future. It is no longer sufficient to simply shut down unnecessary services and restrict access to system services to only privileged users. In fact, my guess is that many consumer-grade devices manufactured today still ship with a single user account, and that user is often the root user, with unlimited access to every service and device in the system. It would take little more than a screwdriver and an adapter cable to gain full access to the box. Some are even easier, leaving a service like telnet or ssh running on a user-facing network port.
The good news is that moving beyond “no security” to something more robust is not necessarily a black art, nor does it require skills exclusive to a privileged few at the PhD level in computer security. There are several tools and techniques that are relatively easy to integrate into one’s embedded software image that can help you achieve two important goals: 1) analyze your system to determine where the vulnerabilities might exist and 2) add a basic level of system security on top of an already secure (Linux) operating system.
I recently presented a webinar titled “Securing Embedded Devices: From Boot to Applications” where I presented some high-level concepts, and then toured some of the tools and utilities that are readily available to embedded developers using Mentor Embedded Linux based on technology from the Yocto Project. You are welcome to view the webinar on demand. We talked about topics ranging from secure boot and trusted platform modules to SELinux and SMACK, along with a variety of useful userland tools and utilities designed to analyze and protect your embedded devices from the bad guys. You can view the webinar at Mentor.com at the following URL: www.mentor.com/embedded-software/multimedia/securing-embedded-devices—from-boot-to-applications